Web Protection Module1 for Endpoint Security Platform

Administrator’s Guide

e Endpoint d i t Security S

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes, and the latest version of the applicable user documentation. Trend Micro, the Trend Micro t-ball logo, OfficeScan, Damage Cleanup Services, ScanMail, and TrendLabs are service marks, trademarks or registered trademarks of Trend Micro, Incorporated. BigFix®, Fixlet® and "Fix it before it fails"® are registered trademarks of BigFix, Inc. iprevention, Powered by BigFix, Relevance Engine, and related BigFix logos are trademarks of BigFix, Inc. All other product or company names may be trademarks or registered trademarks of their respective owners. Protected by U.S. Patent No. 5,623,600; 5,889,943; 5,951,698; 6.119,165 Copyright © 2009 Trend Micro Incorporated. All rights reserved. Document Part No. WPEM14324/91006 Release Date: October 2009

The user documentation for Trend Micro™ Web Protection Module 1.0 is intended to introduce the main features of the software and installation instructions for your production environment. You should read through it prior to installing or using the software. Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at [email protected]. Please evaluate this documentation on the following site: http://www.trendmicro.com/download/documentation/rating.asp

Contents Preface Trend Micro Web Protection Module Documentation ...............................iv Audience ..............................................................................................................iv Document Conventions .................................................................................... v Supported Client Operating Systems ............................................................... v Hardware Requirements ...................................................................................vi Compatible Software .........................................................................................vi Incompatible Software .....................................................................................vii Process Overview .............................................................................................vii

Chapter 1: Installing Trend Micro Web Protection Module Checking for Incompatible Software ...................................................... 1-2 Deploying Trend Micro Web Protection Module Agents ................... 1-4 Uninstalling Trend Micro Web Protection Module Agents ................ 1-5 Configuring Log Maintenance ................................................................. 1-6 Configuring Proxy Settings ..................................................................... 1-10

Chapter 2: Using Trend Micro Web Protection Module Blacklist and Whitelist Policies ................................................................ 2-2 FAQs .......................................................................................................... 2-34 Support ...................................................................................................... 2-35

i

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

ii

Preface

Preface Welcome to the Trend Micro™ Web Protection Module User’s Guide. This guide contains information about product settings and service levels. Trend Micro Web Protection Module (WPM) joins its real-time visibility and control platform with your existing desktop security solution to prevent Web-based malware from infecting your users’ computers. Trend Micro Web Protection Module reduces the need for threat scanning and clean-up by intercepting malware before it reaches your users’ computers. Specifically, WPM monitors outbound Web requests, stops Web-based malware before it’s delivered, and blocks users’ access to potentially malicious Web sites in real time. This guide walks you through the installation and configuration of Trend Micro Web Protection Module, and addresses proxy settings, Web reputation technology, deploying WPM Agents, alert notifications, and uploading logs. This preface discusses the following topics: •

Trend Micro Web Protection Module Documentation



Audience



Document Conventions



Supported Client Operating Systems



Hardware Requirements



Compatible Software

iii

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide



Incompatible Software



Process Overview

Trend Micro Web Protection Module Documentation The Trend Micro Web Protection Module documentation consists of the following: Trend Micro™ Web Protection Module User’s Guide — Helps you install, plan for deployment, and configure all product settings. TrendEdge — The TrendEdge program works with Trend Micro employees, partners, and other interested parties to provide information on unsupported innovative techniques, tools, and best practices for Trend Micro products. TrendEdge is available at: http://trendedge.trendmicro.com

Audience This document is intended to be used by new users of Trend Micro Web Protection Module, including system administrators, operators, sensitive content contributors, information security staff, executives, and other users with other specific roles. The audience should have a thorough understanding of Trend Micro’s Web Protection system, including general operations and critical concepts. Familiarity with Web browsers and Web-based user interfaces are also required.

iv

Preface

Document Conventions To help you locate and interpret information easily, the Web Protection Module documentation uses the following conventions. CONVENTION

DESCRIPTION

ALL CAPITALS

Acronyms, abbreviations, and names of certain commands and keys on the keyboard

Bold

Menus and menu commands, command buttons, tabs, options, and ScanMail tasks

Italics

References to other documentation

Monospace

Examples, sample command lines, program code, Web URL, file name, and program output Configuration notes

Note: Recommendations

Tip:

WARNING!

Reminders on actions or configurations that should be avoided

Supported Client Operating Systems •

Microsoft™ Windows™ 2000 Professional Edition (with the latest service pack)



Microsoft™ Windows™ 2000 Server (with the latest service pack)



Microsoft™ Windows™ 2000 Advanced Server (with the latest service pack)



Microsoft™ Windows™ Server 2003 Enterprise Edition (with the latest service pack)



Microsoft™ Windows™ Vista™ Business Edition (with the latest service pack)



Microsoft™ Windows™ Vista™ Enterprise Edition (with the latest service pack)

v

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide



Microsoft™ Windows™ Server 2008 Enterprise Edition (with the latest service pack)



Microsoft™ Windows™ XP Professional Edition (with the latest service pack)



Microsoft™ Windows™ XP Home Edition (with the latest service pack)

Hardware Requirements •

Intel™ Pentium™ 350 MHz and above



Windows Vista needs at least Intel Pentium 800MHz



At least 128MB RAM



Windows Vista needs at least 512MB RAM



At least 250MB free disk space



IPv4 Internet connection

Compatible Software •

Trend Micro™ OfficeScan™ Client/Server Edition 7.0



Trend Micro™ Data Leak Prevention 3.1



McAfee™ VirusScan™ Enterprise 8.0i



McAfee™ VirusScan™ Enterprise 8.5i



Symantec™ Anti-Virus Corporate Edition 10.0



Symantec™ Endpoint Security and Control 7.0



BigFix™ AntiVirus (CA™ eTrust™ Anti-Virus 7.1)



CA™ eTrust™ Anti-Virus for the Enterprise r8.0

Note:

vi

Users should conduct a thorough examination of untested security products for compatibility issues before deploying Trend Micro Web Protection Module in their environment.

Preface

Incompatible Software •

Trend Micro™ RUBotted (Beta)



Trend Micro™ TrendProtect 1.2



Trend Micro™ Web Protection Add-On (Any)



Trend Micro™ OfficeScan™ Client/Server Edition 8.0



Any other Trend Micro product with Trend Micro Web Reputation Services enabled

Process Overview This procedure assumes that you have already installed the Trend Micro Endpoint Security Platform. To begin the gathering process:

1.

Obtain a masthead for the Web Protection Module site. Email http://us.trendmicro.com/us/about/company/ user_license_agreements/ to request the masthead.

2.

Add the Web Protection Module site. Double-click on the masthead file. A window will appear, asking if you want to proceed with adding the site.

3.

Click Yes.

4.

Enter your Private Key Password and click OK.

FIGURE P-1.

Private Key Password screen

At this point, the Web Protection Module site begins the gathering process, in which it collects the Fixlets, Tasks, Analyses, and other components that will be used in the WPM solution. When the gathering process is complete, the status changes to Subscribed.

vii

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

You will see a new Web Protection Module entry in the Dashboards menu and links to Web Protection Module Tasks and Wizards in your Navigation Bar. FIGURE P-2.

Web Protection Module Entry

In addition, the Web Protection Module site displays the Subscribed status in the Manage Sites window. FIGURE P-3.

viii

Manage Sites page

Chapter 1

Installing Trend Micro Web Protection Module This section provides instructions for performing the most common tasks with Trend Micro Web Protection Module. This chapter covers the following topics: •

Deploying Trend Micro Web Protection Module Agents



Uninstalling Trend Micro Web Protection Module Agents



Configuring Log Maintenance



Configuring Proxy Settings

1-1

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

Checking for Incompatible Software Trend Micro Web Protection Module includes several AUDIT fixlets that automatically detect any of the following Trend Micro products: •

Trend Micro™ OfficeScan™ Client/Server Edition 8.0



Trend Micro™ TrendProtect



Trend Micro™ Internet Security 2009



Trend Micro™ Internet Security Pro

ESP cannot install Trend Micro Web Protection Module on an endpoint if one of these applications is installed. Before you deploy the Trend Micro Web Protection Module agent to your endpoints, verify that none of your endpoints are running these applications by completing the following steps: To check for incompatible software:

1.

Click the Fixlet Messages tab.

2.

Select All Fixlet Messages > By Site > Web Protection Module.

FIGURE 1-1.

3.

1-2

Display of All Fixlet Messages

Check to see if any of the following AUDIT fixlets appear in the List Panel: •

AUDIT – Web Protection Module – Trend Micro OfficeScan 8.0 Conflict



AUDIT – Web Protection Module – Trend Micro TrendProtect Conflict



AUDIT – Web Protection Module – Trend Micro Internet Security 2009 Conflict



AUDIT – Web Protection Module – Trend Micro Internet Security Pro Conflict



AUDIT - Web Protection Module – Trend Micro Web Protect Add-on Conflict



AUDIT - Web Protection Module – Log Maintenance Not Configured

Installing Trend Micro Web Protection Module

4.

If one of the AUDIT fixlets appears, double-click on it to display the Document tabs for the message.

FIGURE 1-2.

5.

AUDIT Fixlet Document tabs

Click the Applicable Computers tab to determine which endpoint or endpoints are running the software.

FIGURE 1-3.

Applicable Computers tab

6.

Manually remove the incompatible software from the endpoint or endpoints, and then reboot.

7.

Access the Fixlet Messages tab again. The message should no longer appear.

Note:

Repeat this process for each AUDIT fixlet message that appears. You should have no AUDIT messages present when you begin deploying your Trend Micro Web Protection Module agents.

1-3

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

Deploying Trend Micro Web Protection Module Agents You will now need to deploy the applicable Trend Micro Web Protection Module tasks. To deploy Trend Micro Web Protection Module Agents:

1.

From the Tasks Navigation bar, click to View Applicable Web Protection Module Tasks link. The Web Protection Module Tasks window appears.

FIGURE 1-4.

2.

In the List Panel, click the Web Protection Module – Deploy link. The Web Protection Module – Deploy Task window appears.

3.

Click the here link located in the Actions box to begin the installation process. The Take Action window appears.

4.

In the Take Action window, select the computer(s) to which you would like to deploy the Trend Micro Web Protection Module agent. Set any desired options, such as scheduling, messages to users, and so on.

5.

Click OK when finished. The Private Key Password page appears.

FIGURE 1-5.

6.

1-4

Web Protection Module Tasks window

Private Key Password page

Enter your Private Key Password to continue.

Installing Trend Micro Web Protection Module

An Action window appears in which you can track the progress of your deployment. When it is finished, the status shows “Completed.” FIGURE 1-6.

Note:

Action window

Trend Micro recommends configuring new Trend Micro Web Protection Module agents to prevent them from accumulating overly-large URL log files. (By default, ESP does not deploy new Agents with log maintenance configured.) For more information, see the section entitled Configuring Automatic Log Maintenance for New Agents.

Uninstalling Trend Micro Web Protection Module Agents In the event you would like to uninstall the Trend Micro Web Protection Module agents, you will need to complete the steps that follow. To uninstall Trend Micro Web Protection Module Agents:

1.

From the Tasks Navigation bar, click the View Applicable Web Protection Module Tasks link. The Web Protection Module Task window appears.

2.

In the List Panel, click the Web Protection Module – Uninstall link. The Web Protection Module – Uninstall Task window appears.

FIGURE 1-7.

Web Protection Module - Uninstall Task page

1-5

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

3.

Click the here link in the Actions box. The Take Action window appears.

4.

Select the computer or computers from which you want to uninstall the Web Protection Agent and click OK. The Private Key Password window appears.

5.

Enter your Private Key Password and click OK. An Action window appears in which you can track the progress of your uninstall. When it is finished, the status shows “Pending Restart.”

FIGURE 1-8.

Action window

Configuring Log Maintenance The Web Protection Agent maintains two logs on your endpoints: •

A history of the URLs accessed on the endpoint (urlhist.txt)



A record of the threats blocked per day by the Web Protection Agent (urlthreats.txt)

Trend Micro Web Protection Module agents can accumulate very large log files. Trend Micro recommends that you configure Agents to perform automatic log maintenance regularly to prevent these files from consuming excessive disk space. Use the Web Protection Module – Log Maintenance task to set the maximum amount of time (in days) that the Web Protection Agent will maintain these logs on the endpoint. Note:

1-6

Trend Micro strongly recommends setting up a global log maintenance regimen. If you do not perform regular log maintenance, large Web Protection Module logs will accumulate on each endpoint. The existence of these logs can slow the performance of both the endpoint itself and the Web Protection Module Dashboard. To archive Web Threat logs to the ESP server for later analysis, use the Web Protection Module – Upload Web Threat Logs task. For more information on using this task, see the Uploading Logs section below.

Installing Trend Micro Web Protection Module

To enable log maintenance:

1.

From the Tasks Navigation bar, click the View Applicable Web Protection Module Tasks link. The Web Protection Module Task window appears.

2.

In the List Panel, click the Web Protection Module – Log Maintenance link. The Web Protection Module – Log Maintenance task window appears.

FIGURE 1-9.

3.

Web Protection Module - Log Maintenance page

Click the here link in the Actions window. An Action Parameter window appears.

FIGURE 1-10. Action Parameter window

This window allows you to set the number of days the Web Protection Agent maintains logs on the selected endpoints. 4.

Enter the number of days (for example, 30) you want to maintain logs, or leave the field blank to set the default (14). Click OK when finished. If desired, you can increase or decrease the frequency of the period between reapplications of the Log Maintenance action by adjusting the

1-7

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

value in the indicated drop-down. You can increase the frequency with which logs are archived to as little as 15 minutes or decrease it to as long as 30 days. 5.

The Take Action window appears and displays “Fixlet Action Defaults” in the Action Preset drop down box.

FIGURE 1-11. Take Action window

Note:

6.

1-8

On the Targeting tab, select the All Computers button to target by property.

Click the Execution tab to view the default Behavior for this Action. The default is to perform the following tasks once per day:

Installing Trend Micro Web Protection Module



Archive the current URL history and Web threat logs



Delete archived logs older than number of days you specify in Action Parameter window

FIGURE 1-12. Take Action - Applicability tab

7.

Click OK. The Private Key Password window appears.

8.

Enter your Private Key Password and click OK. An Action window appears in which you can track the progress of your change. When it is finished, the status shows “Completed.”

1-9

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

Note:

If you want to change log maintenance behavior, first find any older log maintenance actions under the Actions tab and stop them. Then repeat steps 1-8.

Note:

You can audit endpoints to ensure they are configured with a log maintenance action by checking that no machines are relevant for the “Log Maintenance Not Configured” Fixlet. Trend Micro recommends that you check this Fixlet on a regular basis.

Configuring Proxy Settings The Web Protection Agent supports the use of an internal Web proxy. It supports both password encrypted and non-password encrypted proxies.

1-10

Installing Trend Micro Web Protection Module

To configure one or more of the Agent’s proxy settings:

1.

From the Tasks Navigation bar, click the View Applicable Web Protection Module Tasks link. The Web Protection Module Task window appears.

2.

In the List Panel, click the Web Protection Module – Enable/Configure Proxy Settings link. The Web Protection Module – Enable/Configure Proxy Settings task window appears.

FIGURE 1-13. Web Protection Module - Enable/Configure Proxy Settings page

3.

If your proxy requires a password, complete the steps in the following section. Otherwise, follow the steps in the section entitled Configuring the Proxy.

1-11

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

Encrypting a Proxy String If your proxy server requires a password, you must encrypt it before you can continue. Click the tm_cli.exe link in the Web Protection Module – Enable/Configure Proxy Settings document page to download a zipped version of the password encryption utility. 1.

Unzip the tm_cli.zip file and place both the tm_cli.exe and TmpxCfg.dll contents in a folder or target_directory that you can easily access.

2.

Open a DOS Command window and use the cd command to navigate to your target_directory.

3.

Enter the following command where the password you want to encrypt appears in italics. C:\target_directory\tm_cli.exe ACT_ENCRYPT_STRING password.

FIGURE 1-14. Command prompt

4.

1-12

Copy and paste the encrypted string that appears under the command into a text editor, such as Windows Notepad, and save it for later use.

Installing Trend Micro Web Protection Module

Configuring the Proxy You must configure the proxy settings as described in the section that follows. To configure the proxy:

1.

Access the Web Protection Module – Enable/Configure Proxy Settings document page and click the here link in the Actions window. The first of four Action Parameter windows appears.

FIGURE 1-15. Action Parameter window 1

2.

Enter the IP address or hostname of the Web proxy your wish to use and click OK. A second window appears, prompting you for the number of the proxy server port you wish to use.

FIGURE 1-16. Action Parameter window 2

1-13

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

3.

Enter the port number and click OK. Another window appears asking for the username for accessing the proxy.

FIGURE 1-17. Action Parameter window 3

4.

Enter the username you would like to use. If your proxy does not require a username, leave the field blank. When you are finished, click OK. Another window appears, asking you to enter the password you would like to use to access the proxy.

FIGURE 1-18. Action Parameter window 4

1-14

5.

If you do not use a password to access the proxy, leave the field blank. Otherwise, copy and paste the encrypted string you saved earlier into the indicated field and click OK. The Take Action window appears.

6.

Select the computers for which you would like to use the proxy and click OK. A window appears asking for your Private Key Password.

Installing Trend Micro Web Protection Module

7.

Enter your Private Key Password and click OK. An Action window appears in which you can track the progress of your uninstall. When it is finished, the status shows Completed.

FIGURE 1-19. Action window

Disabling a Proxy Server You can also disable a proxy server without uninstalling it. To disable one or more Agent’s proxy settings:

1.

From the Tasks Navigation bar, click the View Applicable Web Protection Module Tasks link. The Web Protection Module Task window appears.

2.

In the List Panel, click the Web Protection Module – Disable Proxy Server link. The Web Protection Module – Disable Proxy Server window appears.

FIGURE 1-20. Web Protection Module - Disable Proxy Server page

3.

Click the here link in the Actions box. The Take Action window appears.

4.

Select the computer or computers for which you want to disable the proxy server and click OK. The Private Key Password window appears.

5.

Enter your Private Key Password and click OK. A window appears in which you can track the progress of your Action. When it is finished, the status shows Completed.

1-15

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

Note:

Because ESP saves the proxy configuration for each user, you can easily re-enable the use of the proxy by running the Enable/Configure Proxy Settings task again.

Disabling Web Reputation Technology This section contains instructions for disabling Trend Micro Web Reputation Technology (WRT). WRT uses a “reputation score” calculated by heuristics and an “in-the-cloud” database of known threats to detect and block security risks in outbound Web requests. WRT is activated by default when you install the Web Protection Agent on a computer. To disable WRT:

1.

From the Tasks Navigation bar, click the View Applicable Web Protection Module Tasks link. The Web Protection Module Task window appears.

2.

In the List Panel, click the Web Protection Module – Disable Web Reputation Technology link. The Web Protection Module – Disable Web Reputation Technology task window appears.

FIGURE 1-21. Web Protection Module - Disable Web Reputation Technology page

1-16

3.

Click the here link in the Actions box. The Take Action window appears.

4.

Select the computer or computers in the window and click OK. The Private Key Password window appears.

Installing Trend Micro Web Protection Module

5.

Enter your Private Key Password and click OK. An Action window appears in which you can track the progress of your change. When it is finished, the status shows Completed.

Enabling Web Reputation Technology You can enable Trend Micro Web Reputation Technology (WRT) for one or more endpoints. Complete the steps that follow:

1.

From the Tasks Navigation bar, click the View Applicable Web Protection Module Tasks link. The Web Protection Module Task window appears.

2.

In the List Panel, click the Web Protection Module – Enable Web Reputation Technology link. The Web Protection Module – Enable Web Reputation Technology task window appears.

FIGURE 1-22. Web Protection Module – Enable Web Reputation Technology page

3.

Click the here link in the Actions window. The Take Action window appears.

4.

Select the computer or computers in the window and click OK. The Private Key Password window appears.

5.

Enter your Private Key Password and click OK. An Action window appears in which you can track the progress of your change. When it is finished, the status shows Completed.

1-17

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

Configuring the Web Reputation Technology Security Level Trend Micro Web Protection Module enables you to set security levels for your endpoints. You can choose one of the following settings for each endpoint or group of endpoints: TABLE 1-1.

1-18

High

Blocks URLs that have a malicious payload, those that are very likely to have a malicious payload, and those that are likely to have a malicious payload.

Medium

Blocks URLs that have not yet been evaluated, those that have a malicious payload, and those that are very likely to have a malicious payload.

Low

Blocks only those URLs that contain a malicious payload.

Installing Trend Micro Web Protection Module

To set the WRT security level for one or more of your endpoints:

1.

From the Tasks Navigation bar, click the View Applicable Web Protection Module Tasks link. The Web Protection Module Task window appears.

2.

In the List Panel, click the Web Protection Module – Configure Web Reputation Technology Security Level link. The Web Protection Module – Configure Web Reputation Technology Security Level Task window appears.

FIGURE 1-23. Web Protection Module – Configure Web Reputation Technology Security Level page

3.

In the Actions box, click the here link for the security level you want to set. The Take Action window appears.

4.

Select the computer or computers to which you want to apply the security level in the window and click OK. The Private Key Password window appears.

5.

Enter your Private Key Password and click OK. An Action window appears in which you can track the progress of your change. When it is finished, the status shows Completed.

Enabling Alert Notification for Detected Threats This feature is turned off by default when you install the Web Protection Agent on a computer. The Web Protection Agent can display a pop-up notification in addition to the browser notification normally displayed each time it detects a threat. This feature is

1-19

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

helpful if individuals in your environment use something other than a Web browser to access potentially bad sites. When activated, this feature displays a pop-up window like the one that follows that appears for 30 seconds in the lower left corner of the screen whenever the Agent detects a threat. FIGURE 1-24. Threat Detection screen

Note:

1-20

Threat events are also recorded in the logs. See the sections on Log Maintenance and Viewing Analyses for more information.

Installing Trend Micro Web Protection Module

To enable alert notification:

1.

From the Tasks Navigation bar, click the View Applicable Web Protection Module Tasks link. The Web Protection Module Task window appears.

2.

In the List Panel, click the Web Protection Module – Enable Alert Notification for Detected Threats link. The Web Protection Module – Enable Alert Notifications for Detected Threats task window appears.

FIGURE 1-25. Web Protection Module – Enable Alert Notifications for Detected Threats page

3.

Click the here link in the Actions window. The Take Action window appears.

4.

Select the computer or computers in the window and click OK. The Private Key Password window appears.

5.

Enter your Private Key Password and click OK. An Action window appears, in which you can track the progress of your change. When it is finished, the status shows Completed.

Disabling Alert Notification for Detected Threats You can also disable alert notifications for detected threats.

1-21

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

To disable alert notification:

1.

From the Tasks Navigation bar, click the View Applicable Web Protection Module Tasks link. The Web Protection Module Task window appears.

2.

In the List Panel, click the Web Protection Module – Disable Alert Notification for Detected Threats link. The Web Protection Module – Disable Alert Notifications for Detected Threats task window appears.

FIGURE 1-26. Web Protection Module – Disable Alert Notifications for Detected Threats page

3.

Click the here link in the Actions window. The Take Action window appears.

4.

Select the computer or computers in the window for which you want to disable the notification pop-up and click OK. The Private Key Password window appears.

5.

Enter your Private Key Password and click OK. An Action window appears in which you can track the progress of your change. When it is finished, the status shows Completed.

Uploading Logs Use this task to upload the current and archived Web threat (urlthreats.txt) and URL history (urlhist.txt) logs stored on the selected endpoints to the ESP server. This task is useful for archiving or using a third-party tool to perform analyses on your endpoint logs. When you use this task, the Web Protection Agent uploads copies of the logs to the following directory on the ESP server and deletes them from the endpoint: \UploadManagerData\BufferDir\ sha1\\\

1-22

Installing Trend Micro Web Protection Module

To see the client ID for an individual endpoint, see the Properties area of the Computer Summary tab. To upload logs to the ESP server:

1.

From the ESP Tasks Navigation bar, click the View Applicable Web Protection Module Tasks link. The Web Protection Module Task window appears.

2.

In the List Panel, click the Web Protection Module – Upload Web Threat Logs link. The Web Protection Module – Upload Web Threat Logs task window appears.

FIGURE 1-27. Web Protection Module – Upload Web Threat Logs page

3.

Click the here link in the Actions window. The Take Action window appears.

4.

Select the computer or computers in the window containing the logs you want to upload and click OK. The Private Key Password window appears.

5.

Enter your Private Key Password and click OK. An Action window appears in which you can track the progress of your change. When it is finished, the status shows Completed.

1-23

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

1-24

Chapter 2

Using Trend Micro Web Protection Module This section provides instructions on using the Web Protection Module. This chapter covers the following topics: •

Blacklist and Whitelist Policies



Support



FAQs

2-1

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

Blacklist and Whitelist Policies The Web Protection Module Blacklist-Whitelist Wizard enables you to create and maintain global lists of Web sites in the form of policies that you can use to control your user’s Web access. After you have defined these policies, you use them to create Custom Tasks that you can then apply to your endpoints. There are two types of URL lists that you can create and group into policies by using the Wizard: •

Blacklists – These are lists of blocked Web sites. If the endpoint tries to access a site on one of these lists, it receives a message in its Web browser indicating that access to the site has been blocked.



Whitelists – These are lists of Web sites that you allow your endpoints to access without restriction.

Note:

Use care when selecting sites for Whitelists. After a site is added to a Whitelist, it will no longer be checked. Therefore, endpoints connecting to that site would no longer be protected by WPM, should that site become a host for malware at some point in the future.

By creating multiple tasks, you can apply different sets of Blacklist and Whitelist policies to different users or groups of users. You can perform the following tasks using the Wizard: •

Create and Deploy a New Blacklist / Whitelist Policy



Create and Deploy a New Blacklist / Whitelist Policy by importing an existing list



View an existing Blacklist / Whitelist Policy



Copy a Blacklist / Whitelist Policy



Copy and edit a Blacklist / Whitelist Policy



Delete a Blacklist / Whitelist Policy

Note:

2-2

The Blacklist/Whitelist file import feature requires that ActiveX controls are enabled in your browser. If you do not have this feature enabled, you will receive an error. For more information, check: http://support.bigfix.com/cgi-bin/kbdirect.pl?id=514.

Using Trend Micro Web Protection Module

Creating and Deploying a New Policy This section describes how to create and deploy a new blacklist/whitelist policy. To create a new Blacklist / Whitelist policy:

1.

Click Wizards > Web Protection Module Blacklist - Whitelist Wizard to access the Web Protection Module Blacklist-Whitelist Wizard from the ESP Console menu bar. The Blacklist-Whitelist Wizard Policy Management window appears, showing a list of all currently available policies:

FIGURE 2-28. Blacklist-Whitelist Wizard Policy Management window

2-3

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

2.

Click New. The Blacklist-Whitelist Configuration – New Policy window appears with the Blacklist tab open by default.

FIGURE 2-29. Blacklist-Whitelist Configuration – New Policy window

2-4

Using Trend Micro Web Protection Module

3.

Enter a name for your policy in the Policy Name field.

FIGURE 2-30. Policy Name field

4.

In the Blacklist pane below the Policy Name field, enter, copy or paste the URLs you want to block. You can enter up to 500 URLs. You also must have “http://” before each URL entry. To block all the pages for a site, enter the name of the domain followed by “/*”, for example: http://www.badURL.com/*

2-5

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

Note:

You can block as many as 500 URLs per policy. If you wish to block more, create a different policy for each category of URLs you want to block.

Note:

If you do not want to include a Whitelist in the policy, you can skip this part of the process. The Web Protection Module allows you to create Blacklist / Whitelist policies with both list types (Blacklist and Whitelist), only a Blacklist, or only a Whitelist.

5.

To enter a Whitelist, click the Whitelist tab. The Whitelist pane appears.

6.

In the Whitelist pane, enter or copy and paste the URLs you want your users to be able to access without restriction. You can enter up to 499 URLs per policy. You also must have “http://” before each URL entry. To grant access to all the pages on a site, enter the name of the domain followed by “/*”, for example: http://www.goodURL.com/*

2-6

Using Trend Micro Web Protection Module

7.

When you are finished creating your policy, click Finish. The Edit Task window appears.

FIGURE 2-31. Edit Task window

8.

Enter the name of your Blacklist / Whitelist policy in the Name field. This ensures that the name of the policy appears as the name of the custom task when you generate it.

9.

Click OK.

10. Enter your Private Key Password and click OK.

2-7

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

11. In the Filter Panel, click My Custom Tasks. Your new Blacklist / Whitelist policy appears in the List Panel. FIGURE 2-32. List Panel screen

12. Double-click the name of your new Blacklist / Whitelist policy. The task pane for the policy appears. FIGURE 2-33. Task Pane screen

13. Click the here link in the Actions window. The Take Action window appears. 14. Select the computer or computers in the window to which you want to deploy your Blacklist / Whitelist policy and set any desired options (such as for scheduling, messages to users, and so on). 15. When you have finished selecting options, click OK. 16. Enter your Private Key Password and click OK.

2-8

Using Trend Micro Web Protection Module

An Action window appears in which you can track the progress as ESP deploys your Blacklist / Whitelist policy to your endpoints. When it is finished, the status shows Completed.

Importing Lists of Web Sites The Web Protection Module allows you to import URLs for new Blacklist and Whitelist policies from newline-delimited files. Note:

The Blacklist / Whitelist file import feature requires ActiveX controls enabled in your browser. If you do not have this feature enabled, you will receive an error when you try to browse to a file. For more information, check the link that follows:  http://support.bigfix.com/cgi-bin/kbdirect.pl?id=514

To create a new policy by importing lists of Blacklisted and Whitelisted Web sites:

1.

Create two text files - one for the Web sites you want this policy to block and another for the Web sites to which you want to give your users unrestricted access.

Note:

If you do not want to include a Whitelist in the policy, you can skip this part of the process. The Web Protection Module allows you to create Blacklist / Whitelist policies with both list types (a Blacklist and a Whitelist), only a Blacklist, or only a Whitelist.

2.

Press Enter or place a “newline” code at the end of each line to separate each entry. You must have “http://” before each URL entry. To block all the pages for a site, enter the domain name followed by “/*”, for example: http://www.badURL.com/*.

3.

Click Wizards > Web Protection Module Blacklist-Whitelist Wizard to access the Web Protection Module Blacklist-Whitelist Wizard from the ESP Console menu bar. The Blacklist-Whitelist Wizard Policy Management window appears.

4.

Click New. The Blacklist-Whitelist Configuration – New Policy window appears.

2-9

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

5.

Click the Import List tab. The Import List pane appears.

FIGURE 2-34. Import List tab

2-10

6.

Enter the name for the new policy in the Policy Name field.

7.

Select the text file you wish to import by either manually entering the path in the field under the Blacklist File Import / Whitelist File Import heading or by clicking Browse next to the type of file you wish to import. If you click Browse, the Open window appears.

8.

Use the Open window to navigate to the location where you have the text file.

Using Trend Micro Web Protection Module

9.

Select the file and click Open. The path to the selected file appears in the Import pane.

FIGURE 2-35. Import List pane

2-11

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

10. Click Import. An ActiveX warning message appears. FIGURE 2-36. ActiveX Warning message

11. Click Yes to import the file. If you click No, to import the list you must re-launch the Wizard and perform the import process again. After you click Yes, the Blacklist / Whitelist Wizard displays the contents of the tab associated with the file. FIGURE 2-37. Blacklist / Whitelist Wizard

2-12

Using Trend Micro Web Protection Module

12. Click Finish to end the import process and start generating the relevant Custom Action. Note:

To see the process required to finish generating your Custom Action and deploying the policy, see Steps 7-16 in the Creating and Deploying a New Blacklist / Whitelist Policy section.

Viewing an Existing Policy You can also view an existing policy. To view an existing Blacklist / Whitelist policy:

1.

Click Wizards > Web Protection Module Blacklist-Whitelist Wizard to access the Web Protection Module Blacklist-Whitelist Wizard from the ESP Console menu bar. The Blacklist-Whitelist Wizard Policy Management window appears:

FIGURE 2-38. Blacklist-Whitelist Wizard Policy Management window

2-13

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

2.

Select the name of the Blacklist / Whitelist policy you want to examine and click View. The Blacklist-Whitelist Configuration – View Policy window appears.

FIGURE 2-39. Blacklist-Whitelist Configuration – View Policy window

Notice that the contents of the Policy Name field and the Finish button are grayed out. This indicates that you are in View-only mode and you cannot make any changes. 3.

2-14

You can view either the Blacklist or Whitelist entries for this policy by clicking the appropriate tab and scrolling up or down using the arrow buttons on your

Using Trend Micro Web Protection Module

keyboard. You can also return to the Policy view by clicking Back. (In this case, the Import List feature is disabled). FIGURE 2-40. View Policy page

4.

To exit the Blacklist-Whitelist Configuration – View Policy window, click either Cancel or Close.

2-15

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

Copying and Editing a Policy The Web Protection Module enables you to create copies of existing Blacklist / Whitelist policies. Use this feature to create copies of existing policies or to create slightly modified versions of existing policies. To create a copy of an existing Blacklist / Whitelist policy:

1.

Click Wizards > Web Protection Module Blacklist-Whitelist Wizard to access the Web Protection Module Blacklist-Whitelist Wizard from the ESP Console menu bar. The Blacklist-Whitelist Wizard Policy Management window appears.

2.

Select the name of the Blacklist / Whitelist policy you want to duplicate and click Copy. The Blacklist-Whitelist Configuration – Copy Policy window appears.

FIGURE 2-41. Blacklist-Whitelist Configuration – Copy Policy window

2-16

Using Trend Micro Web Protection Module

The name of the policy appears in the form of “Copy of…” followed by the policy name you chose to copy. The Web Protection Module automatically copies the contents of the Blacklist and Whitelist fields into the new policy. 3.

Change the name in the Policy Name field to what you want it to be.

4.

Make any other changes you want to the policy. For example, in copied policies you can:

5.



Add new URLs to the copied Blacklist or Whitelist



Remove URLs from the Blacklist or Whitelist



Import and append either an external Blacklist or an external Whitelist to your Blacklist and Whitelist entries

When you have modified the policy, click Finish to end the process and to start generating the relevant Custom Action.

Note:

To see the process required to finish generating your Custom Action and deploying the policy, see Steps 7-16 in the Creating and Deploying a New Blacklist / Whitelist Policy section described previously.

Editing Custom Actions The Blacklist / Whitelist Wizard does NOT allow you to edit existing Blacklist / Whitelist policies. (You can only make modifications to new copies of policies, not the originals.) If necessary, however, you can edit the Custom Actions the Wizard generates. You can edit these Custom Actions in two different ways: •

By making modifications using the Edit Task window immediately after you click Finish to create the Custom Task



By accessing the Edit Task window AFTER you have completely generated the Custom Task

2-17

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

To make modifications using the Edit Task window, either access it as part of the Custom Task generation process or select it by right-clicking on the name of an existing Custom Task and selecting Edit. FIGURE 2-42. Edit a Custom Task pull-down

The Edit Task window consists of four tabs: •

Description



Actions



Relevance



Properties

FIGURE 2-43. Edit Task tabs

2-18

Using Trend Micro Web Protection Module

Use the Description tab to make modifications to the task name, title, and description. Use the Actions tab to view or change the Action this Custom Task performs. For example, use this window to add or remove Blacklisted or Whitelisted URLs from the presented Action Script. FIGURE 2-44. Actions tab

2-19

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

Use the Relevance tab to view and make modifications to the relevance of a Custom Task. By default, the relevance for Blacklist / Whitelist is static. Its purpose is to detect endpoints for the Web Protection Module. FIGURE 2-45. Relevance tab

2-20

Using Trend Micro Web Protection Module

Use the Properties tab to view and modify the properties of this custom task. FIGURE 2-46. Properties tab

When you have finished making modifications, click OK. When the Private Key Password window appears, enter your password and click OK again. The edited/changed Blacklist / Whitelist policy appears in the List Panel when you choose My Custom Tasks.

Deleting a Policy Complete the steps that follow to delete an existing Blacklist / Whitelist policy from the Wizard’s Policy Management list.

2-21

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

To delete a policy:

1.

Click Wizards > Web Protection Module Blacklist-Whitelist Wizard to access the Web Protection Module Blacklist-Whitelist Wizard from the ESP Console menu bar. The Blacklist-Whitelist Wizard Policy Management window opens.

2.

Select the name of the Blacklist / Whitelist policy you want to delete and click Remove. The Remove window appears.

FIGURE 2-47. Remove window

3.

Click OK. The Web Protection Module removes the policy from the Blacklist-Whitelist Wizard Policy Management window.

4.

Click Quit to exit the Wizard.

Note:

The Blacklist-Whitelist Wizard Remove feature only deletes the policy from the Management list. It does not delete the Custom Task you created with the policy. To completely remove the Blacklist-Whitelist policy from your endpoints, complete the steps that follow.

5.

Select the name of the policy you wish to delete in the My Custom Tasks list and right-click. The right-click menu appears.

6.

Select Remove from the right-click menu. The Remove Task confirmation window appears.

FIGURE 2-48. Remove Task window

2-22

Using Trend Micro Web Protection Module

7.

Click OK. The Private Key Password window appears.

8.

Enter your Private Key Password and click OK. ESP displays a series of messages as it removes the Custom Task from the affected WPM Agents and the List Panel.

Analyses The Web Protection Module allows you to view detailed information about an endpoint or group of endpoints protected by a Web Protection Agent. By default, Trend Micro delivers these analyses activated. Use the Client Information analysis to view information about each endpoint protected by a Web Protection Module Agent. You can use this analysis to view the following Properties of each endpoint: TABLE 2-2. F IELD N AME

F IELD D ESCRIPTION

WPM Version

The version of the Web Protection Module Agent installed on the endpoint

WPM Installation Date

The date the Web Protection Module Agent was installed

Number of Web Threats Found

The number of Web threats encountered and recorded in the endpoint’s CONFIG.INI file

Web Reputation Technology Enabled/Disabled

The status of the Agent’s Web Reputation feature (Enabled/Disabled)

Web Reputation Technology Security Level

The security level for the Web Reputation feature (High, Medium, or Low)

Alert Notification for Detected Threats

Whether or not the alert notification feature for detected threats is enabled

Proxy Server Enabled/Disabled

If a proxy server is enabled/disabled

2-23

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

TABLE 2-2. F IELD N AME

F IELD D ESCRIPTION

Proxy Server Address

The address of the proxy server

Proxy Server Port

The port being used by the proxy server

Proxy Server User Name

The user name used by the client to connect to the proxy server

Blacklist-Whitelist Policy

The name of all Blacklist / Whitelist policies deployed to the Agent

Number of Days since Last Log Maintenance

The number of days that have elapsed since you last performed Log Maintenance

Log Age Deletion Threshold

The number of days that logs will be kept on the endpoint before they are deleted (the log age deletion threshold)

The Site Statistics analysis displays statistical information about the number of Web sites accessed by an endpoint. You can use this analysis to view the following: TABLE 2-3. F IELD N AME

2-24

F IELD D ESCRIPTION

Blocked Sites

The number of Web sites blocked by an endpoint

Visited Sites

The number of Web sites visited by an endpoint

Using Trend Micro Web Protection Module

Viewing the Client Information Analysis The following section describes how to view and analyze client information. To view a client information analyses:

1.

Click the Analyses tab. The List Panel changes to show all available analyses.

2.

Click All Applicable Analyses.

3.

Click the “+” sign and then click By Site.

4.

Click Web Protection Module.

The Web Protection Module presents you with two analyses: •

Web Protection Module – Client Information



Web Protection Module – Site Statistics

5.

Double-click the Web Protection Module – Client Information analyses link. The Web Protection Module – Client Information window appears.

FIGURE 2-49. Web Protection Module – Client Information window

2-25

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

6.

To view the details about each property, click the Applicable Computers tab.

FIGURE 2-50. Applicable Computers tab

You can view the analysis property results in either List or Summary format. To select a perspective, choose the desired format from the drop down box in the upper-right corner of the analysis in the Results tab. FIGURE 2-51. View as Summary option

7.

2-26

If you wish to deactivate the analysis, return to the click here link in the Action window.

Using Trend Micro Web Protection Module

Viewing the Site Statistics Analysis You can also view the site statistics analysis. To view the site statistics analysis:

1.

Click the Analyses tab.

2.

The List Panel shows all available analyses.

3.

Click All Applicable Analyses.

4.

Click the “+” sign and then click By Site.

5.

Click Web Protection Module. The Web Protection Module presents you with a list of both available analyses.

6.

Double-click the Web Protection Module – Site Statistics analyses link. The Web Protection Module – Site Statistics window appears. The window displays information on the two Web Protection Agent properties you can view with the analysis: •

Blocked Web sites



Visited Web sites

FIGURE 2-52. Web Protection Agent properties

2-27

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

7.

To view the details of each property, click the Results tab.

FIGURE 2-53. Results tab

You can view the analysis property results as either a list or in summary form. To select a perspective, choose the desired format from the drop down box in the upper-right corner of the analysis in the Results tab. FIGURE 2-54. Blocked/Visited Sites page

2-28

Using Trend Micro Web Protection Module

8.

To deactivate the analysis, return to the click the here link in the Action window.

The Web Protection Module Dashboard The Web Protection Module provides a dashboard that enables you to view statistics about the Web sites users’ access and the number of threats that it blocks. You can access the Dashboard in one of two ways:

1.

To access the Dashboard from the ESP Console, select Dashboards > Web Protection Module.

2.

To access the Dashboard from Web Reports, click Reports then click the Web Protection Module Dashboard link in the Content Reports area of the Report Management pane.

The Web Protection Module Dashboard provides summary information about the Web threats blocked by each Web Protection Agent. When you initially see the screen, it displays information for all deployed Web Protection Agents. FIGURE 2-55. Web Protection Module Dashboard page

You can use the Web Protection Module Dashboard to view overall Web statistics or drill down to the individual endpoints.

2-29

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

Note:

The Web Protection Module Dashboard only reports the information that is currently on each endpoint. If you have both a Log Maintenance and a corresponding Log Upload policy in place (which Trend Micro recommends as a best practice), historical information older than your specified aging threshold is archived on the ESP server.

Note:

To see historical information for blocked and visited sites, review the log entries in the following directory:  \UploadManagerData\BufferDir\sha1\\\

Statistics are available for the following parameters:

2-30

Using Trend Micro Web Protection Module



Filters—Use these filters to restrict and organize Dashboard information. After you set them, these settings enable you to do the following:

TABLE 2-4. F ILTER C ATEGORY Filter by Date

D ESCRIPTION Set the date and time range of the information you want displayed in the Blocked Sites and Visited Sites tables. The entries default to the current date and time in a 24-hour format beginning at 00:00 hours and ending at 23:59 hours. To change the date range, you can either:

• Choose each day by picking it from a calendar that you display by clicking the Calendar icon.

• Enter each date manually. To change the time, you can either:

• Use the arrow keys to select the appropriate hours and minutes.

• Enter the times manually. Filter by URL

Display information for specific URLs. If a URL is blocked, it appears in both the Blocked Sites and Visited Sites tables. If the URL was not blocked, information for it only appears in the Visited Sites table.

Filter by Device

Display information in the Blocked Sites and Visited Sites tables for only those Web Protection Agents meeting the specified criteria. This feature allows you to use a modified version of the ESP Console’s Find feature to search for endpoints containing the specified property or properties (for example, OS, subnet, computer name, and so on). To access the Find feature, click (edit). The following illustration depicts this window:

2-31

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide





Blocked Sites—This table lists the Web sites blocked for the endpoints specified using Filters. Information is displayed by: •

URL



Most Recent Block



Number of Blocks



Blocked Devices

Visited Sites—This table lists the Web sites visited by endpoints using Filters. Information is displayed by: •

URL



Number of Visits



Number of Devices

You can also resize the display according to your needs by moving one of the “handle” icons. Additionally, a Refresh button is available to clear any modified selections and reload the default values.

Further Refining Dashboard Listings In addition to restricting the information in Blocked and Visited Sites tables through filter options, you can also sort and “drill down” to the individual endpoints using the Web Protection Module Dashboard.

2-32

Using Trend Micro Web Protection Module

To further sort a display, click or double-click on a column header. The header color changes and displays an arrow to indicate least to greatest (up arrow) or greatest to least (down arrow) number of entries. FIGURE 2-56. Visited Sites page

Additionally, you can create “ad-hoc” listings and drill down to individual endpoints by double-clicking an entry in the Number of Devices column. FIGURE 2-57. Ad-Hoc Listings

2-33

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

FAQs What is the performance impact of the Web Protection Module Agent on network performance? The Web Protection Module Agent is very lightweight and requires no pattern updates. It checks for Web threats when the user accesses the Internet by performing a lookup on an “in-the-cloud” database. The Web Protection Module Agent uses the site’s “reputation” score and a security level set by the Console Operator to block access to suspicious sites. Web Protection Module database lookups are optimized to use very little bandwidth (similar in size to a DNS lookup) and have a negligible impact on network performance. Does the Web Protection Module Agent run on server class computers? Yes. It fully supports systems running Windows 2000 Server, Windows Server 2003 and Windows Server 2008. Can Web Protection Module logs be used with other event systems for correlation and long term storage? Yes. The Web Protection Module solution fully supports integration with SIM, SIEM, or log parsing systems. Web Protection Module URL history and blocked URL logs can either be pulled directly from the ESP server or from the individual Agents themselves. How long does it take the Web Protection Module Agent to upload logs and what happens if the Agent is disconnected from the network? The interval that the agent uses to send logs to the server is configurable, but the default is once per day. If the agent is not connected to the network, it uploads copies of the logs the next time it is connected to the network. Can the user disable the Web Protection Module Agent? Only when the user has administrative rights to their computer.

2-34

Using Trend Micro Web Protection Module

Support Search the Trend Micro User Forums for discussion threads and community-based support on a wide variety of topics. For questions or troubleshooting issues, search the list of available articles in the Trend Micro Knowledge Base at http://support.trendmicro.com. Get technical assistance from Trend Micro’s support team from anywhere in the world: United States (866) 752-6208 International (661) 367-2202 support.trendmicro.com

2-35

Trend Micro™ Web Protection Module 1.0 Administrator’s Guide

2-36